October 1, 2024 By Pieter Arntz
Ireland’s privacy watchdog Data Protection Commission (DPC) has fined Meta €91M ($101M) after the discovery in 2019 that Meta had stored 600 million Facebook and Instagram passwords in plaintext.
The DPC ruled that Meta was in violation of GDPR on several occasions related to this breach. It determined that the company failed to “notify the DPC of a personal data breach concerning storage of user passwords in plaintext” without delay, and failed to “document personal data breaches concerning the storage of user passwords in plaintext.”
The DPC also said that Meta violated GDPR by not using appropriate technical measures to ensure the security of users’ passwords against unauthorized processing.
While the DPC does not disclose the number of passwords, several sources at the time quoted internal sources at Facebook who said 600 million password were freely accessible to employees. Most of these passwords belonged to Facebook Lite users, but it affected other Facebook and Instagram users as well.
Facebook found out that it logged the passwords in plaintext by mistake during a code review.
